Privacy Policy

Last updated: 20 June 2026

This Privacy Policy explains how WhiteBoar ("WhiteBoar", "we", "us") handles personal data in connection with WhiteBoar (the "Service").

WhiteBoar is used by businesses to collect insights from their experts and turn them into content. For the personal data that a customer business uploads or generates through the Service — including data about its experts and contributors — that business is the data controller and WhiteBoar acts as a processor on its behalf, under its instructions and any applicable Data Processing Agreement. For data we handle for our own purposes — such as managing accounts, billing, security, and improving the Service — WhiteBoar is the controller. This Policy describes both roles.

1. Personal data we process

Account and manager data: name, email address, organization name, authentication identifiers, and settings.

Expert and contributor data: name, email, WhatsApp phone number, language, role, consent status and timestamps, and the messages, voice notes, and transcripts a contributor sends.

Content data: the insights, knowledge records, drafts, social posts, images, and connected-account metadata created or managed in the Service.

Technical and usage data: log data, device and browser information, IP address, approximate location derived from it, and analytics about how the Service is used.

2. How we collect personal data

We collect data you provide directly (for example when you register, complete onboarding, or invite an expert), data contributors send through WhatsApp, data generated as you use the Service, and data received from connected third-party platforms you authorize (such as social or publishing accounts).

3. Purposes and legal bases

As processor, we process customer and expert data only to provide the Service to the controller and on its instructions; the legal basis for that processing rests with the controller.

As controller of our own operational data, we rely on:

  • performance of a contract — to create and manage accounts and deliver the Service;
  • legitimate interests — to secure, maintain, and improve the Service, prevent abuse, and communicate about it, balanced against your rights;
  • legal obligation — to comply with law, including tax and accounting duties;
  • consent — where required, for example certain communications or non-essential cookies, which you can withdraw at any time.

4. WhatsApp and messaging

WhiteBoar communicates with experts over WhatsApp using a single business number. A contributor is contacted only after the customer confirms a lawful basis and the contributor opts in. We log each consent event (including timestamps) as a record of opt-in, and we honor opt-out requests. Message content, voice notes, and transcripts are processed to produce knowledge records and drafts for the customer.

5. AI processing and sub-processors

To transcribe voice notes and generate drafts, translations, and images, we use AI models and supporting infrastructure provided by sub-processors, accessed through a model gateway. These sub-processors process the relevant content only to perform the requested task and under contractual confidentiality and security obligations. We do not permit them to use customer content to train their general models where such use can be disabled, consistent with our agreements.

Other sub-processors provide hosting, database, storage, email delivery, and analytics. A current list of sub-processors is available on request, and where we act as processor we provide notice of changes as required by the Data Processing Agreement.

6. How we share personal data

We share personal data with: the sub-processors described above; the third-party publishing and social platforms you connect, when you choose to publish content to them; professional advisers, auditors, and authorities where required by law; and an acquirer in connection with a merger, acquisition, or sale of assets, subject to this Policy. We do not sell personal data.

7. International transfers

We are based in the EU and prefer to process data within the EU/EEA. Some sub-processors may process data outside the EU/EEA. Where they do, we rely on an adequacy decision or appropriate safeguards such as the European Commission’s Standard Contractual Clauses, together with supplementary measures where needed.

8. Retention

We keep personal data for as long as needed to provide the Service and for the purposes described in this Policy. As processor, we retain customer and expert data for the duration of the customer’s account and delete or return it within a reasonable period after the account ends or on the controller’s instruction, unless retention is required by law. We may keep limited records (for example consent logs and billing records) where necessary to meet legal obligations or establish, exercise, or defend legal claims.

9. Security

We use technical and organizational measures appropriate to the risk, including encryption in transit, encryption of stored credentials, access controls and least-privilege scopes, tenant isolation, and safeguards against server-side request forgery on URL ingestion and in-generation fetches. No system is completely secure, but we work to protect personal data and to detect and respond to incidents.

10. Your rights

Subject to applicable law, you have the right to access, rectify, erase, restrict, and object to the processing of your personal data, and the right to data portability. Where processing is based on consent, you may withdraw it at any time without affecting prior processing.

If a customer business is the controller of your data — for example if you are an expert invited by your employer — please direct your request to that business; we will assist them as their processor. For data we control, contact us using the details below. You also have the right to lodge a complaint with a supervisory authority.

11. Cookies and similar technologies

We use cookies and similar technologies that are strictly necessary to operate the Service (for example to keep you signed in and to secure your session) and, where applicable and with consent, a limited set for analytics. You can control non-essential cookies through your browser or any cookie controls we provide.

12. Children

The Service is intended for businesses and is not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will take appropriate steps to delete it.

13. Changes to this Policy

We may update this Policy from time to time. When we make a material change, we will update the effective date and, where appropriate, provide additional notice. Your continued use of the Service after the change takes effect constitutes acknowledgment of the updated Policy.

14. Governing language and contact

This Policy is published in English, Italian, and Polish. The English version is the authoritative text; in case of any discrepancy, the English version prevails.

For privacy questions or to exercise your rights, contact WhiteBoar at privacy@whiteboar.it.